Privacy Policy
This Privacy Policy describes how Capstacker Inc. ("Capstacker," "we," "us," or "our") collects, uses, and protects personal information when you use our platform and services.
Capstacker operates a software platform that enables startups and independent operators to structure, document, and track flexible compensation arrangements.
By accessing or using the platform, you agree to this Privacy Policy.
1. Scope and Role
Capstacker acts as a data controller with respect to account, profile, usage, and platform data collected directly from users.
Capstacker does not process banking credentials, government identification documents, biometric identifiers, or sensitive personal data. Payment processing and related compliance (including KYC, AML, and merchant-of-record services) are handled by third-party providers as described in Section 3.
Capstacker Inc. is the data controller for purposes of the General Data Protection Regulation (GDPR).
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Authentication method (Google, LinkedIn, or email OTP)
- Basic profile data shared through OAuth (if applicable)
- Role or domain selection
We do not receive or store third-party account passwords.
2.2 Profile Information
Depending on user type, we may collect:
For Startup Founders:
- Company stage and team size
- Execution readiness indicators
- Optional product links and traction signals
- Optional revenue proof links
For Operators:
- Professional experience and expertise
- Engagement history
- Work samples and portfolio materials
- Optional video introductions
- Reference contact information (see Section 2.5)
Providing optional information is voluntary. You may choose not to provide certain personal data; however, this may limit access to certain features of the Services.
2.3 Deal and Transaction Data
- Listing details
- Proposals and negotiation communications
- Compensation structures (cash, equity, milestones)
- Signed agreements executed via DocuSeal (see Section 3)
- Milestone tracking data
Capstacker does not store full payment card numbers or bank account credentials.
2.4 Usage and Technical Data
- IP address
- Device and browser type
- Session activity
- Platform interaction logs
This data is used for security, fraud prevention, and service improvement.
2.5 Reference Contact Information
Operators may optionally provide contact information for professional references. This constitutes personal data of individuals who may not have a direct relationship with Capstacker.
Where Capstacker contacts a reference, that individual will receive a privacy notice at the point of first contact explaining how their information is held and used. Reference contact data is retained only for as long as necessary to support the active engagement for which it was provided, and is deleted within 90 days of the relevant engagement concluding or upon account deletion, whichever is earlier.
If you are a reference contact and would like to request deletion of your information, please contact us at privacy@capstacker.io.
3. Payment Processing and Subprocessors
Stripe
Capstacker uses Stripe to process payments and, where applicable, perform merchant-of-record services and regulatory compliance (including KYC). Stripe acts as an independent data controller for payment and identity verification data processed through its systems. Such processing is governed by Stripe's own privacy policy at stripe.com/privacy.
Capstacker does not store or control sensitive payment credentials.
DocuSeal
Capstacker uses DocuSeal to facilitate the execution and storage of legally binding agreements on the platform. Where agreements contain personal data of users or third parties, that data is processed by DocuSeal as a data processor acting on Capstacker's behalf, subject to a Data Processing Agreement incorporating appropriate safeguards. DocuSeal's privacy policy is available at docuseal.co/privacy.
Other Subprocessors
Capstacker engages additional subprocessors to support service delivery, including providers of cloud hosting, analytics, customer support tooling, transactional email, and error monitoring. All subprocessors are required to implement appropriate technical and organizational safeguards.
A current list of subprocessors is set out in the Annex to this Privacy Policy and is updated periodically. Material changes to the subprocessor list will be communicated to users as required by applicable law.
4. How We Use Information
We use personal information to:
- Provide and maintain the platform
- Facilitate deal structuring and milestone tracking
- Enable communication between users
- Improve product functionality
- Generate anonymized benchmarks and insights
- Prevent fraud and enforce terms
- Comply with legal obligations
- Identify visitors to our website and send marketing communications to identified individuals, using third-party visitor identification services as described in Section 12
We do not sell personal information.
5. Lawful Bases for Processing (GDPR)
If you are located in the EEA, UK, or Switzerland, we rely on the following legal bases:
- Contractual necessity – to provide platform services
- Legitimate interests – to improve services, prevent fraud, and generate anonymized analytics
- Legal obligation – to comply with applicable laws
- Consent – where optional data is provided or where required
Where we rely on legitimate interests, we do so only where such interests are not overridden by your fundamental rights and freedoms. You may withdraw consent where processing is based on consent.
6. Analytics and Aggregated Data
Capstacker may use anonymized and aggregated deal data to improve the platform and generate market insights. This process involves:
- Removing direct identifiers
- Aggregating data across multiple deals
- Applying minimum aggregation thresholds
- Ensuring no individual deal can reasonably be re-identified
These analytics are used to improve product functionality and may support future benchmarking features. Anonymized insights are used for internal purposes only and are not sold or licensed to third parties.
We do not use identifiable personal data to train external AI models.
We do not make decisions producing legal or similarly significant effects about users solely through automated processing. If automated or AI-assisted features are introduced that materially affect this, this Privacy Policy will be updated prior to deployment.
7. Data Sharing
We may share information:
- Between users – according to visibility settings and active deal participation
- With service providers – under contractual safeguards, as described in Section 3 and the Annex
- For legal compliance – if required by applicable law, regulation, or legal process
- In business transfers – in connection with mergers, acquisitions, financing transactions, or corporate restructuring, where personal data may be transferred as part of company assets
We do not sell personal information or share it for cross-context behavioral advertising.
8. Data Security
We implement reasonable technical and organizational safeguards, including:
- Encryption in transit
- Access controls
- Audit logging
- Role-based permissions
No system is completely secure, and we cannot guarantee the security of any information you provide to us.
In the event of a personal data breach, we will take steps to contain the incident and assess its scope. Where required by applicable law — including under GDPR Article 33, which requires notification to the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach — we will notify the appropriate authorities and, where required, affected individuals. We may also post a notice on our Services or contact affected users by email.
By using our Services, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services.
To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure.
9. International Data Transfers
Capstacker operates primarily in the United States. We may transfer, process, and store information in the United States and other jurisdictions where our service providers operate.
Where required under applicable law, we implement appropriate safeguards for international data transfers, including Standard Contractual Clauses approved by the European Commission. This includes transfers to subprocessors such as DocuSeal, where signed agreements incorporating appropriate transfer mechanisms are in place.
Information may be accessible to courts, law enforcement, and national security authorities of the United States where required by law.
If you are located in the European Economic Area, Switzerland, the United Kingdom, or Brazil, you have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable law.
10. Data Retention
We retain personal data for as long as reasonably necessary to achieve the relevant processing purposes described in this Privacy Policy, or for as long as required by law.
We generally consider the following factors when determining retention periods:
- Retention periods established under applicable law
- Industry best practices
- Whether the purpose of processing is reasonably likely to justify further processing
- Risks to individual privacy in continued processing
- Costs associated with continued processing and deletion
Reference contact data is retained for a maximum of 90 days following the conclusion of the relevant engagement or account deletion, whichever is earlier.
We may retain limited information following account deletion where necessary to comply with legal obligations, resolve disputes, enforce agreements, or prevent fraud. We will review retention periods periodically and may delete, pseudonymize, or anonymize data held for longer periods.
11. Your Rights
All users may:
- Access their personal information
- Correct inaccurate data
- Delete their account
- Adjust profile visibility
- Opt out of non-essential communications
California Residents
Under the California Consumer Privacy Act (CCPA/CPRA), in the preceding 12 months we have collected categories of personal information including identifiers, professional information, internet activity information, and commercial information as defined under California law. You may request access to or deletion of your personal information. We do not sell personal information.
European Users
Under GDPR, you have the right to:
- Request data portability
- Restrict or object to processing
- Withdraw consent
- Lodge a complaint with a supervisory authority
Requests may be submitted to privacy@capstacker.io.
12. Your Choices
You have choices about certain information we collect about you, how we communicate with you, and how we process certain personal data. When you are asked to provide information, you may decline to do so; but if you choose not to provide information that is necessary to provide some of our Services, you may not be able to use those Services.
Communications Opt-Out
You may opt out of receiving marketing or other communications from us at any time by following the opt-out link or unsubscribe instructions provided in any email message received, or by contacting us at privacy@capstacker.io with "Opt-Out" in the subject line and your name and registered email address in the body. Please note that even if you opt out of marketing communications, you may continue to receive certain transactional or administrative notifications necessary to your use of the Services, such as agreement confirmations or platform notices.
Cookies and Browser Tracking
Capstacker uses cookies and similar technologies to support platform functionality, maintain session state, and collect usage analytics.
We also use a third-party visitor identification service (RB2B) that uses cookies and similar technologies to associate website visits with personal information held in third-party databases, including email addresses. This enables us to send marketing communications to individuals who have visited our website. RB2B acts as a data processor on our behalf. Its privacy practices are described at rb2b.com/privacy-policy.
You may opt out of RB2B's tracking at any time by visiting app.retention.com/optout. If you are located in the EEA or UK and wish to exercise your GDPR rights in relation to RB2B data collection, you may do so at rb2b.com/rb2b-gdpr-opt-out.
You may also opt out of tracking technologies more broadly through your browser's cookie settings, including by blocking, deleting, or restricting cookies. Please note that doing so may affect the performance or functionality of the Services.
If you would like to opt out of Google Analytics, you may do so using Google's opt-out tool at tools.google.com/dlpage/gaoptout.
13. Children's Privacy
Our Services are intended for users who are 18 and over. We do not knowingly collect personal information from anyone younger than 18. If we become aware that a child has provided us with personal information in violation of applicable law, we will use commercially reasonable efforts to delete such information and terminate the account.
14. Other Provisions
Third-Party Websites/Applications. The Services may contain links to other websites or applications not controlled by us. We are not responsible for their privacy practices.
Updates to this Privacy Policy. We may revise this Privacy Policy from time to time. If there are material changes, we will notify you as required by applicable law. Continued use of the Services following notice of such changes constitutes acceptance of the updated policy.
15. Contact
For privacy-related inquiries, requests, or complaints:
Annex — Current Subprocessors
The following subprocessors are engaged by Capstacker to support service delivery. All are required to implement appropriate technical and organizational safeguards. This list is reviewed and updated periodically.
| Subprocessor | Purpose | Location | Privacy Reference |
|---|---|---|---|
| Stripe | Payment processing, KYC/AML, merchant-of-record | United States | stripe.com/privacy |
| DocuSeal | E-signature execution and storage of legally binding agreements | United States / EU | docuseal.co/privacy |
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | United States (+ global) | aws.amazon.com/privacy |
| Sentry | Error monitoring and performance tracking | United States | sentry.io/privacy |
| Google Analytics | Website usage analytics | United States | policies.google.com/privacy |
| Google Workspace | Transactional email delivery | United States | policies.google.com/privacy |
| Cookiebot (Usercentrics) | Cookie consent management | EU (Denmark) | cookiebot.com/en/privacy-policy |
| RB2B | Website visitor identification for outbound marketing | United States | rb2b.com/privacy-policy |
To request notification of changes to this subprocessor list, or to request the most current version, contact privacy@capstacker.io.